Finance
Human Resources
Technology
Australian business

Privacy Act Changes for SMEs: What the Reforms Actually Require in 2026

A small business owner reviewing a privacy policy beside a timeline of Privacy Act reform dates from 2024 through December 2026.
Scale Suite manages finance and HR for growing Australian businesses. Drop the team a message here →

Most small business owners believe one of two wrong things about the Privacy Act: either that the under-$3 million exemption still makes the whole subject someone else’s problem, or that the exemption has already been abolished and they are somehow non-compliant today. The truth as at July 2026 sits precisely between them. The blanket exemption has not been repealed, but it is being dismantled around the edges: individuals can now sue directly for serious invasions of privacy regardless of your turnover, penalties for covered entities reach $50 million, and from 1 July 2026 more than 100,000 small businesses, accountants, lawyers, conveyancers, real estate professionals and others, lost the exemption for a slice of their data handling through a law most of them have never read. This guide lays out what is in force, what is dated, what is still only proposed, and the right-sized compliance baseline that makes all of it manageable.

Published: July 2026


The Reform Program in One Timeline

Australia’s privacy overhaul is arriving in staggered pieces, which is exactly why businesses miss the piece with their name on it.

  • In force now. The first tranche of reforms, the Privacy and Other Legislation Amendment Act 2024, took effect from December 2024, and its sharpest edge landed on 10 June 2025: a statutory tort for serious invasions of privacy, letting individuals sue directly for intentional or reckless invasions, physical or informational. Critically, the tort does not care about the small business exemption; a sole trader who recklessly exposes someone’s private information can be sued under it as readily as a bank. The same tranche introduced tiered penalties for entities covered by the Act, up to $50 million, three times the benefit obtained, or 30 per cent of adjusted turnover for serious interferences, plus infringement notices of up to $66,000 for lower-level failures such as not maintaining a compliant privacy policy, criminal offences for doxxing, and expanded OAIC enforcement powers.
  • 1 July 2026. The anti-money laundering expansion made accountants, tax and BAS agents, lawyers, conveyancers, real estate professionals, trust and company service providers, and dealers in precious metals and stones reporting entities under the AML/CTF regime, and for those businesses the Privacy Act now applies to personal information handled for AML/CTF purposes regardless of turnover. The OAIC estimates more than 100,000 small businesses were pulled inside the Act by this route, most without noticing, and the regulator has published dedicated guidance and a template collection notice for them.
  • 10 December 2026. Two further pieces land: automated decision-making transparency, requiring privacy policies to disclose where computer programs make or substantially inform decisions significantly affecting individuals, and the OAIC’s Children’s Online Privacy Code, setting obligations for services likely to be accessed by minors, with the exposure draft consulted on through mid-2026.
  • Proposed, not law. The second tranche of Privacy Act reforms, removal of the $3 million small business exemption, a “fair and reasonable” handling test, a right to erasure, an expanded definition of personal information reaching online identifiers, remains a government commitment being “progressed” with no Bill and no timetable as at July 2026, and with the Productivity Commission publicly critical of parts of it. Plan for it as direction, not as a deadline.

Finance and professional-services SMEs should treat privacy as an operations control alongside BAS and payroll, not a policy PDF on the website. Scale Suite builds those controls into standing finance services and people and HR support delivery for clients who cannot staff a compliance function. Start with the OAIC APP guidelines and the Notifiable Data Breaches scheme.


Who Is Actually Covered Today

Strip the noise and coverage in July 2026 resolves into four groups.

Covered regardless of turnover, always were: health service providers holding health information, businesses that trade in personal information, credit reporting bodies, and Commonwealth contractors. Plenty of small allied health, medical and wellness businesses have been fully covered for years without realising it.

Covered from 1 July 2026 for AML/CTF data handling: the newly designated professions above. The coverage is activity-scoped, it attaches to the personal information collected and used for AML/CTF purposes such as client identification and verification, but the practical effect for a small accounting or conveyancing practice is that Privacy Act disciplines, collection notices, security, breach response, now sit inside the client onboarding process itself, supervised by the OAIC alongside AUSTRAC.

Exposed regardless of coverage: every business, through the statutory tort. The tort is not an APP compliance regime, but it is a live litigation risk attached to reckless handling of private information, and it applies to the exempt corner store as much as the covered corporation.

Still exempt for now: the general under-$3 million business outside the categories above, for whom the APPs remain voluntary until tranche two arrives, and for whom the sensible posture is deliberate preparation rather than either panic or complacency.


Worked example: a 12-person advisory firm under $3 million

A hypothetical business advisory practice turns over $2.7 million, employs 12 staff, and from 1 July 2026 is a reporting entity for AML/CTF purposes. It is still under the general small business threshold for many activities, but client identification documents collected for AML now sit inside Privacy Act handling for that activity. The firm needs collection notices in onboarding, security around ID documents, retention discipline, and a notifiable breach plan. The partner who assumed “we are under $3 million so privacy does not apply” is wrong for the highest-risk data the firm holds. Budget a half-day data map, a real privacy policy, and multi-factor authentication across mail and file systems before the next client pack is issued.

If the firm also uses offshore processing capacity, cross-border rules stack on top. Read the architecture test in the hiring offshore finance staff guide and treat access control as a privacy control, not an IT nice-to-have.


The Notifiable Data Breaches Discipline

For every covered entity, and for every business that intends to be ready before it is compelled, the notifiable data breaches scheme is the obligation with a clock on it. Where a data breach is likely to result in serious harm to individuals, the entity must notify the OAIC and the affected individuals; where a breach is merely suspected, the entity has 30 days to assess whether it is notifiable. Thirty days sounds generous until it is day three of a live incident, the laptop is gone or the inbox is compromised, and nobody knows what data was in scope because nobody ever mapped it.

The scheme is why breach response cannot be improvised. The working parts are a data map (what personal information exists, where it lives, who can touch it), a written response plan naming who assesses, who decides and who notifies, and an evidence habit, because a business that assessed a suspected breach promptly and documented its reasoning is in a categorically different position from one that hoped the problem away. Small firms newly covered through the AML route should note that their client identification records, identity documents and verification data, are precisely the high-harm category the scheme was built around, and that the AML rules themselves push toward retaining minimal verification details rather than hoarding document copies.


Incident cost framing

A hypothetical practice loses a staff laptop containing unencrypted copies of 80 client identity packs. Even if encryption and remote wipe limit the actual harm assessment, legal advice, client communication, potential OAIC engagement and insurance excesses can still run $15,000 to $50,000 before any claim or complaint multiplies the cost. The control that would have reduced that figure, full-disk encryption, MFA, no local ID copies, costs a few hundred dollars and a process change. Privacy spend is cheap next to privacy failure.


The Right-Sized SME Baseline

Full enterprise privacy programs are the wrong tool for a twelve-person business. The right-sized baseline is seven items, most of them one-time builds with an annual review, and together they cover today’s obligations, the December dates and the direction of tranche two.

  • 1. A data audit, half a day. List the personal information the business actually holds, clients, staff, prospects, suppliers, where it is stored, which systems and people access it, and how long it is kept. Every other control depends on this map existing.
  • 2. A genuine privacy policy. Australian, current, and honest about your actual practices: what you collect, why, how it is secured, whether it goes offshore, how people complain. Covered entities must have one, infringement notices attach to not having a compliant one, and businesses using overseas teams should align it with their cross-border disclosure position.
  • 3. Collection notices where the AML rules bite. Newly covered practices should implement the OAIC’s collection notice approach inside client onboarding, telling clients what identification information is collected and why, subject to the tipping-off restrictions the AML regime imposes.
  • 4. A one-page breach response plan. Who contains, who assesses within the 30 days, who decides on notification, who tells the OAIC and clients, and where the incident log lives. Test it once a year with a tabletop scenario.
  • 5. Security proportionate to the data. Multi-factor authentication everywhere, access limited to roles that need it, encrypted devices, prompt offboarding of departed staff, and deletion or de-identification of information past its retention need. Data you no longer hold cannot breach.
  • 6. The December 2026 check. If software makes or substantially informs decisions that significantly affect individuals, automated screening, algorithmic pricing, AI triage, the privacy policy must say so by 10 December 2026; and services plausibly accessed by children should watch the final Children’s Code.
  • 7. An annual review rhythm. Privacy settings drift like every other control. A standing annual review, policy against practice, access lists against staff lists, retention against reality, is the difference between a framework and a document.

None of this is exotic, and all of it compounds: the same data map that satisfies a regulator shortens a cyber insurance application, and the same offboarding discipline that protects privacy protects the bank account. Building and maintaining that baseline, alongside the AML onboarding machinery the same firms are implementing this year, is exactly the kind of structured, unglamorous compliance work an embedded finance and HR team carries so owners are not reading exposure drafts at night. Pair privacy hygiene with payment controls covered in ordinary internal controls for small business practice, and keep employee records tidy as part of employee onboarding discipline.


Decision Framework: Exempt, Activity-Covered, or Fully Covered

If you are fully covered (health, trading in personal information, Commonwealth contractor, or turnover over $3 million), run the full baseline now and budget for OAIC-grade process, not a template policy alone.

If you are activity-covered for AML, prioritise collection notices, ID security, retention minima and breach response for verification data, then extend the same hygiene to the rest of the client file.

If you are still generally exempt, still implement the baseline because of the statutory tort, customer expectations, cyber insurance and the direction of tranche two. Preparation is cheaper than a rushed retrofit when the exemption finally moves.

Use the ATO compliance health check as a parallel discipline reminder: privacy is not tax, but both reward documented process over improvisation.


Related resources and next reading


FAQ

Does the Privacy Act apply to my small business in 2026?
If turnover is under $3 million, the blanket exemption still stands unless you fall into a covered category: health service providers, businesses trading in personal information, Commonwealth contractors, and, from 1 July 2026, businesses providing AML/CTF designated services such as accounting, legal, conveyancing and real estate work, for their AML-related data handling.

Has the $3 million small business exemption been removed?
No. Its removal is part of the proposed second tranche of reforms, which the government has confirmed it is progressing but has not introduced as a Bill and has not dated. The exemption is being eroded at the edges, most materially by the July 2026 AML expansion, but the blanket repeal is direction, not law.

What changed on 1 July 2026?
The AML/CTF regime expanded to accountants, tax and BAS agents, lawyers, conveyancers, real estate professionals, trust and company service providers and dealers in precious metals and stones. Those businesses became reporting entities, and the Privacy Act now applies to their handling of personal information for AML/CTF purposes regardless of turnover, with OAIC guidance and template notices available.

Can someone sue my exempt small business over privacy?
Yes, under the statutory tort in force since 10 June 2025, which allows individuals to sue for serious, intentional or reckless invasions of privacy and does not depend on the small business exemption. It is the reason careless handling of private information is now a litigation risk for every business, covered or not.

What are the penalties under the reformed Act?
For covered entities, serious interferences with privacy carry penalties up to $50 million, three times the benefit obtained or 30 per cent of adjusted turnover, whichever is greatest, with mid-tier penalties below that and infringement notices up to $66,000 for administrative failures such as a non-compliant privacy policy.

What is the notifiable data breaches scheme in practice?
Covered entities must notify the OAIC and affected individuals of breaches likely to cause serious harm, and must assess suspected breaches within 30 days. Meeting the clock requires a data map, a written response plan and documented assessments, none of which can be built mid-incident.

What is due on 10 December 2026?
Automated decision-making transparency, privacy policies must disclose where computer programs make or substantially inform decisions significantly affecting individuals, and the OAIC’s Children’s Online Privacy Code for services likely to be accessed by minors.

What should an exempt SME actually do now?
Run the half-day data audit, publish an honest privacy policy, write the one-page breach plan, tighten security basics, and diarise an annual review. It is a modest build that covers the statutory tort exposure today, positions the business for the December dates, and turns the eventual tranche two into a non-event.

Do employee records still get an exemption?
The employee records exemption still covers many employer acts relating to their own staff records, but it is not a free pass for TFNs, third-party providers, or reckless disclosures that engage the statutory tort. Treat staff data with the same security hygiene as client data.

Is a privacy policy alone enough compliance?
No. A policy that does not match practice is a liability. The policy is one control inside a set that includes the data map, access control, retention, breach plan and annual review.


About Scale Suite

Scale Suite is a Sydney-based provider of outsourced finance teams and fractional CFO services for Australian SMEs. We deliver weekly bookkeeping, payroll, BAS/IAS lodgement, cashflow reporting, management accounts, and strategic fractional CFO oversight, all as a fully embedded team that works inside your business.

CA-qualified, Xero Certified, and registered BAS Agents, we replace fragmented bookkeepers and once-a-year accountants with one responsive finance function at a fraction of the cost of full-time hires. We serve growing businesses across Sydney, Melbourne, Brisbane, and Perth, with packages starting from $1,500 per month and no lock-in contracts.

Visit Scale Suite | View Our Finance Services | View Our HR Services | Get Your Free Proposal


Disclaimer

We review and check this guide periodically. At the time of writing (July 2026), all information was current. Scale Suite is a registered BAS Agent, not a licensed tax advisor or financial advisor. This content is general information only and does not constitute professional tax, financial, or legal advice. Some details may change over time.


Sources

  • Privacy Act 1988 (Cth) and the Privacy and Other Legislation Amendment Act 2024 (https://www.legislation.gov.au)
  • Office of the Australian Information Commissioner, guidance for reporting entities under the AML/CTF Act and notifiable data breaches scheme resources (https://www.oaic.gov.au)
  • Office of the Australian Information Commissioner, Australian Privacy Principles guidelines (https://www.oaic.gov.au/privacy/australian-privacy-principles)
  • Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, tranche two designated services from 1 July 2026 (https://www.legislation.gov.au)
  • AUSTRAC guidance for tranche two reporting entities (https://www.austrac.gov.au)
  • Attorney-General’s Department, Privacy Act Review and government response on second tranche reforms

About Scale Suite

Scale Suite is a Sydney-based provider of outsourced finance and HR services for Australian SMEs. We deliver bookkeeping, financial reporting, payroll processing, fractional CFO support, recruitment, employee onboarding, people and culture support, and fractional HR oversight, all as a fully embedded team that works inside your business.

Employment Hero Gold Partner, CA-qualified, and Xero Certified, we replace fragmented finance and HR processes with one responsive, senior-level function at a fraction of the cost of full-time hires. We serve growing businesses across Sydney, Melbourne, Brisbane, and Perth, with packages starting from $1,500 per month and no lock-in contracts.

Contact us

Book Your Free Assessment

30 minutes with our team.

We'll review your current finance setup, compare the full cost of an internal hire against our embedded team, and show you exactly what your finance function should cost at your stage of growth.

You'll leave with a clear view of what's working, what's missing, and where you'd save.

No lock-in contracts. 30-day money-back guarantee.

Prefer to book directly?
Grab a time here.

Thanks, you're in. Grab a time below.
Pick a 30-min slot that works and we'll see you there.

Prefer us to call you? We'll reach out with the details you've provided.
Oops! Something went wrong while submitting the form.
"A collage of five people in circular frames: a woman smiling by a blue door, a young man in an apron, a man in a shirt near shelves, a woman with long hair in an office, and a man in profile view."

Book your free 30-minute strategy call now

Schedule My Call